Continuing the discussion from Fedora Strategy 2028: February/March Planning Work and Roadmap 'til Flock:

Forward

@mattdm you asked for input on the Fedora strategy for the next 5 years, so by golly you’re getting it.

There’s one point that I don’t see reflected in the logic model, and that has to do with the perception of Linux in the security and privacy space. I think that part of that is because this would be considered part of the ‘everyday’ things we should be working on, and the other part is based on the north star of “does this work toward doubling our active contributors.”

Why would I bring this up?

Security on Linux is considered a given by many in the community. I also think that every community that produces a distro would think that their own offering is secure. Personally, of course I think that Fedora is secure. I know that the Fedora Project thinks Linux is secure or otherwise what are we doing here. However, there is an important group that does not consider Linux to be secure enough, and that is some people in the digital privacy community.

What do I mean by people in the digital privacy community?

The average Linux user is probably somewhat concerned with privacy. Many people who want to improve their security and privacy will think to switch to Linux. There’s a whole little world of people who go above and beyond their threat models to be as private or secure as they can be as individuals. Those people go on to give advice to regular folks trying to learn more. When I talk about the privacy community, I’m talking about people who are focusing on their own security and privacy standing. I’m not talking about cybersecurity professionals who are thinking about security for companies and organizations.

To get to my point,

Linux is not viewed as secure by some reputable resources for digital privacy, and I would like us to address their concerns in the next 5 years.

Don’t shoot the messenger! Privacy Guides and PrivSec both have articles where they list security deficiencies compared to Windows, macOS, and/or chromeOS. Then there’s the famous Linux Insecurities post by Madaidan that I’m sure some of us have seen before. Many times when the question comes up of whether Linux is secure, these sources will be linked.

Their concerns consist of the following:

• Lack of proper application sandboxing
• Not enough exploit mitigations
• Monolithic kernel (not much we can do about this one)
• Lack of verified boot
• Difference in security of desktop Linux vs server Linux
• Lack of immutability
• Inability to harden to the point of competing with macOS
• Probably more…

Why should we care what these folks have to say about Linux security?

To be honest, I’m not technical enough to know how right or wrong these claims against Linux security are. I don’t know what context or threat model I’m missing. I don’t know whether to interpret these faults as being so dire I should avoid Linux for security. The reason for the concern is because these sites that are respected for privacy in general share this view, so who am I to disagree? There can be lots of people in my shoes who see this view of Linux coming from experts and don’t know whether they should try Linux at the end of the day. Who wants to install a supposedly insecure OS?

Furthermore, whether we agree with these sites or not, their opinions hold sway in the privacy community. If you ask about Linux security, other people who you would otherwise trust will tell you about these faults, quoting these sources. Then they will go further and suggest that Linux is so insecure that it shouldn’t be considered for use at all. One crowd thinks something can’t be private if it’s not secure. Another that if something is not the most secure option then it is not secure at all. Many of these complaints will probably always exist, and they’re not unique to Linux. However, Linux gets caught up in it because the criticisms ultimately come from valid sources in the privacy community. Here’s an example of how this tends to go.

These two points together affect the perception of Linux and Fedora by extension. Folks who come across these opinions, whether true or not, are less likely to want to try Linux.

What is this - Joseph’s insecurities?

Maybe, I don’t know. As far as I can tell the core concerns listed are valid. As a non-technical user, it makes me second-guess my choice to run Fedora instead of chromeOS or macOS. I would hate to think that I’m exposing myself more by using Linux. To be clear, I don’t think I am, but the fear is there in the back of mind, and in some sense it’s not untrue.

At the same time, it’s not like we aren’t already making progress in these areas. Every resource I’ve come across has suggested Fedora as the top distro to consider if someone wants to switch to Linux for security and privacy, despite their hesitation. Who is developing an immutable system that will one day hopefully replace a flagship spin? Fedora. Who is working on increased application sandboxing? Fedora, based on our support of flatpaks. Who is fixing the funny X11 quirk where any open window has access to everything going on in the desktop environment? Fedora is, with Wayland.

Then there’s the impact that these views have on real people. Maybe it’s totally negligible. How many people are actually be scared away from using Linux? I don’t have a way of telling. If most of the people reading this post have never heard of these concerns then that proves the point even more than I’m making a mountain out of a mole hill.

But you know what? Matthew Miller said to think about where we would like to see the Fedora Project in the next 5 years. Personally, I would love it if in 5 years we could see all of these security concerns addressed so that even more people can feel confident in their system. Free and open software brings a lot of good into the world, and I would like for security to be an undisputed benefit of Fedora.

Thank you for coming to my TED talk.

I see your point as being EXTREMELY valuable.

I’ve been talking about how we could (and since I’m unable to follow development as closely as I did before, I’m not sure that we’re not currently doing it) be doing so much more when it comes to security with relatively simple changes.

TPM2

First and probably most important, verified boot and unified kernel images, which is slowly but surely getting there, but the best we can do right now isn’t being offered. As Anaconda’s been getting a facelift one chance we have is to make TPM2 usage easier for the average user.

Since I’m not a developer I can’t say how hard this would be to implement, but I live to see the day our installers will have two extra checkboxes to tick on install (if the installer detects that the system has a TPM2 chip), one for using it to secure your LUKS encryption password, which would proceed to ask for the user to create a PIN if the second option is not checked; and the second one, that would allow the user to boot directly to their system without the need for the LUKS password or its PIN (both of them basiaclly using systemd-cryptenroll behind the scenes).

Secure Boot with third-party kmods (mainly NVIDIA)

This one is surely easier to implement, since Ubuntu already does it. Either in the installer (probably the easiest to implement) or during the first setup the install process should offer the user the option to create and enroll their own secure boot key, with which the system would sign its kmods. It doesn’t need to be a complicated process, just a checkbox with the right wording.

It’s mainly used to guarantee that the user isn’t forced to turn Secure Boot off if they want to use NVIDIA drivers, virtualbox or any other third-party kernel module.

Even though Fedora supports FOSS first and foremost, implementing this would alleviate a lot of figuring it out from the users who need this, instead of:

1st: figuring out how to install the third-party modules they need and installing them;
2nd: figuring out why their modules aren’t working, which of course is secure boot;
3rd: them blindly disabling secure boot in order to get those to work, in a similar way that some people disable SELinux the second it stops something they need working from working.

Firewall

This is more of an upstream issue than anything (since KDE does support this), but firewall-config is really old-looking and feeling at this point and needs a facelift, and since we don’t have a way to interact with it through GNOME, it’d be good to have a GUI app to deal with it well whenever needed.

Thought about this, and I think it might best fit in under Focus Area: Technology Innovation & Leadership, and I’m setting a bookmark so I refer to it and mention it when that comes around.

Thanks for considering it! Looking forward to feedback from the community.

“When” is now! I’ve included this in Fedora Strategy 2028: Focus area review (Technology Innovation & Leadership).

As with the others, I’m setting a timer to close this topic in a month.

Here’s my personal thoughts on this… security and privacy are important, and this is an area where Fedora has led before (with SELinux, for example). And looking through the Privacy Guides post, I’m happy to see that we’re doing pretty well in a lot of the areas (and Fedora Workstation and Silverblue are (respectively) their top recommendations for traditional and immutable desktop Linux. I can see the strength in building on this.

On the other hand, increasing security generally comes with a user experience cost. See Should Fedora enforce drive encryption on new installs? for some strong opinions on the downside of default full-disk encryption, for example. Or Network Manager sending regular unencrypted requests? — we could disable that, but then “captive portal” detection wouldn’t work and it’d be hard to get wifi to work at airports and hotels. If we go too far in restrictions, we may push ourselves more into a niche than towards general use.

I’m also unsure we can live up to promises in this area — we generally try, but overall we don’t sharply restrict all of the software we include and in general a lot of it tends to be somewhat … open. I’m not sure how we’d square that with an intentional focus on privacy.

I think we definitely should do some of these things — better Flatpak sandboxing and more secure boot, for example. But I think maybe for the strongest protections we should work with e.g. Qubes downstream, so that people who have the strongest concerns have a good option there — and then we can bring in improvements that make sense.

Having a full disk encryption enforced like pop os or a userspace /home encryption will give a edge to the security and privacy obviously it have many concern but still encryption is always good.

I definitely see where your coming from in terms of balancing increased privacy and security with user experience and being open for users to be able to use Fedora without trouble. To answer the question of how far should we go, we should figure out the threat model that Fedora is trying to solve for. Put another way, what are the probably threats that Fedora should protect against?

If we understand the threat model that Fedora is trying to protect against, then we know what features and projects we should be handling for our distro and what areas are too advanced for us to be worried about. This helps us to define our limits for this objective and can get us closer to the specific language that we may want to use if we include this objective in Strategy 2028.

I also see your point about leaning on downstream projects to cover our bases. Firefox doesn’t have to worry about the most extreme threat models because the Tor Browser covers those. Likewise we benefit from Qubes OS being downstream from us and being one of the best OSes you can use for the highest threat models in the world.

Fedora compared to the competition

My counterpoint to that is that the gulf between Fedora and Qubes is too wide. What market of users is Fedora trying to reach? Ideally, the average computer user could use Fedora.^[1] Who else is in that market? Windows, macOS, and chromeOS. It is also reasonable to assume that the threat models that those operating systems are protecting against should be the same as what we are trying to protect against. We’re shooting for the same users who have the same things to protect.

In the Linux world, as it stands in the opinion of influential privacy advocates, you can get awesome privacy at the cost of a less secure OS (in their opinion). If that’s not good enough you can jump to Edward Snowden levels of security and use Qubes OS - a Xen hypervisor that runs virtual machines for everything and the kitchen sink. The complexity, hardware requirements, and inconveniences that a user has to get to just to reach the next rung in Linux security are high.

image778×591 111 KB

In the face of that gap, what are the alternatives that are recommended? First recommendation is macOS because it’s secure, can be made private enough that security researchers trust it, and comes with tech support from a manufacturing giant. If that’s too expensive, get a chromebook, which can run as cheaply as $200 and cover any price range before matching that of a macbook. If you need app compatibility, some privacy advocates might even recommend hardening Windows before considering a jump to Linux on the grounds of better sandboxing, more use of Rust to avoid memory unsafe languages, or other reasons.

Suffice it to say that from a security and privacy perspective, many people would put Linux on the bottom of recommendations, Qubes on top, and macOS as the most accessibly next best alternative. The rest are left to fight among themselves with their pros and cons. I would like to see Fedora competing with macOS in that line up.

Now, there is a practical element to this. Microsoft, Apple, and Google are some of the biggest companies in the world. They have loads of money to pour into the security and privacy of their OSes however they see fit. We do not have the same resources and therefore should not be expected to implement on the same level. I’m probably speaking out of inexperience, but assuming that is true, that does not mean that we should not be trying to implement the same solutions - just that we should manage expectations on how long it will take to make that happen. Even then I wonder whether we can’t surprise ourselves by focusing on this more.

Last thing I’ll mention is the thing I conveniently left out when comparing Fedora to Qubes, and that is Silverblue. Arguably, our immutable variants answer many of the concerns privacy advocates have about Linux. It brings an unchanging core OS, with sandboxing that’s getting better, and with a more secure display server. It sounds like we’re already on our way to solving this problem. Therefore, my preference is to continue this progress by prioritizing security and privacy features rather than resting on our laurels.^[2]

Fedora’s threat model

Here is Privacy Guides’ article on threat modeling. It comes from the perspective of a user deciding what they need to protect and how far they need to go, but we can also apply this from the perspective of the tool.

Quoting from the article:

To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:

1. What do I want to protect?
2. Who do I want to protect it from?
3. How likely is it that I will need to protect it?
4. How bad are the consequences if I fail?
5. How much trouble am I willing to go through to try to prevent potential consequences?

Here’s my first shot at answering these questions. Maybe we can work together on the answers to these questions until we land on an answer that accurately reflects the state of Fedora today and the intentions of Fedora tomorrow.

Sidebar:

image486×679 98.6 KB

It’s late now, but I didn’t want to hold up the rest of my thoughts with my threat model analysis, so here is half of what I want to say, lol

Edit: My take on the threat model is further along in this thread.

Fedora Security Lab?

As a last point that could be where we compromise for those changes and adjustments that we feel are too cumbersome for Workstation, we could have a Lab specifically to give users Fedora with all the security tweaks out of the box. I know that we already have a Security Lab but I don’t know to what extent they already do this. It seems to me like that Lab is more focused on using Fedora for a security job like pentesting (like Kali Linux) rather than providing extra security configs for the user. If not this Lab, maybe another Lab could be made for this purpose and that’s how we cover our bases. Just an idea, but this is too practical for our current stage. Just mentioning it so that we feel that the objective is practical enough to consider adding to the five year plan.

1. I know there are hurdles, but let’s work on the assumption that a Fedora computer is just sitting in front of an average user. We want that person to feel like they can use that computer without much trouble. ↩︎

2. I know we’re not saying to do that either, but those are the two competing views. ↩︎

(I work on Privacy Guides)

There is a big difference between a security feature being opt-in versus a security feature being missing entirely though. I will say full disk encryption not being enabled by default is a bit unfortunate, but I think that Microsoft and Apple only get away with it because they push people to use OneDrive and iCloud to backup all their files, so I can see why you couldn’t do that. Suggestions like disabling all unencrypted network requests make no sense really^[1], and even in that case the first reply solved that with two lines of config

On the other hand, many of the missing security features in Linux are not “hidden behind a switch,” they’re missing entirely, either because nobody has tackled those issues yet or by design. To be honest… There are really 3 main things I personally want to see (and they’re the ones I see the most people agree with too), but they’re pretty big things:

• Better verified boot… doesn’t make a lot of sense with traditional Workstation really, but with image-based distros like Silverblue where “the system” is actually a well-defined concept it feels more important. I don’t know if progress is being made on the Has Silverblue achieved Verified Boot? - #3 by siosm front?
• Better Flatpak sandboxing: Also, I don’t think it actually matters how theoretically secure Flatpak can be if unsafe configurations are allowed by default. The issues mentioned on flatkill.org with filesystem=host/home are still a thing as far as I’m aware. Users should — at minimum — be warned about something like this when launching these apps.
• Better permission management. This is kind of related to the last point, but the OS needs to be much more proactive on controlling access to sensitive resources. Android and iOS of course do this, and I think macOS is the current gold standard of this on the desktop. Prompting users when an app tries to access sensitive folders like the Desktop or Documents, and requiring explicit configuration changes to let an app obtain full storage access; and prompting users whenever protected resources are accessed are all things that macOS does very well, and I think Linux needs to take it more seriously.

I don’t really know who needs to work on this stuff, Fedora? GNOME? Flatpak? Linux?

I also don’t think user experience costs are a good reason to exclude any security feature entirely. More on that:

This Tor Browser example actually highlights the role I would like Fedora to have when it comes to downstream security distros. Tor Browser really benefits from Mozilla’s work on Firefox for nearly all of its browser-based privacy and security features, because patches like letterboxing, fingerprinting resistance, first-party isolation, etc. were pulled upstream into mainline Firefox, saving Tor developers a lot of hassle when it comes to maintaining their fork. In a perfect world, Fedora could have all of the security features a downstream distro might desire, simply locked behind opt-in preferences when those features would break other functionality.

…And if that is ever the case, then a security-focused Lab would be a great addition to Fedora. As you already noted the current “Security Lab” has this problem, but a Hardened Lab variant would be great. However it isn’t possible to do in Fedora’s current state because the security features we’re looking for aren’t a matter of tweaks you can make, otherwise we’d simply list those tweaks on Privacy Guides in the first place and call it a day like we do with Firefox.

There’s a lot of work to be done to get Fedora on par with macOS security, which is what I think the overall objective should be.

On a semi-related note… Every time I look at Fedora Silverblue I just end up wishing RedHat had invented snaps instead of Canonical, because containerized desktop and CLI packages with automatic, atomic updates is exactly what I wish Silverblue had, and would bridge the gap between it and Fedora IoT. I almost wish Podman would try and cover Flatpak’s use-cases on desktop, but I don’t think that will happen. With the state of how I see most people use Silverblue right now though (lots of unsandboxed Flatpaks and every single CLI tool inside toolbox), Silverblue kind of feels like the modern version of this classic xkcd.

Thanks for reading my ramblings… Thanks @joseph for letting me know about this thread.

1. I won’t argue that certain people in the so-called “privacy community” love to check every single box they can without contextualizing things, and have a very black-and-white view of privacy and security lol, but just to be clear I don’t think that hardening by default at the sake of everything else is anyone’s serious objective.
   The OP states that “there’s a whole little world of people who go above and beyond their threat models to be as private or secure as they can be as individuals,” but IMHO the security concerns with Linux we mention (on Privacy Guides at least) are things that we believe actually impact real, everyday people. It isn’t “Edward Snowden-level” LARPing to want random apps sandboxed from all of my personal data. ↩︎

Thanks for chiming in with your thoughts! The specific priority examples help to narrow down what to focus on. They help to judge if this is something that Fedora can make a dent in.

For the objective and impact, I think we can start with this based on our thoughts:

Objective: Fedora Linux is as secure as macOS.
Impact: Fedora is recommended as the most secure and private OS for average end users.

The technologies that we can influence may be different, but if Fedora can use macOS as example for the kinds of security features we should implement, I think we’d be headed in the right direction. We’d be taking concrete steps that have been taken by another OS. At least it’s been done by someone else.

Now I’ll take a crack a Fedora’s threat model.

What do I want to protect? We want to protect anything that a user might do or store on their computer. That means protecting everything done in applications, everything done on the web in as far as a distro can help with that, and all of the files and user data stored on the device. This could even go as far as watching what happens with meta data, but at that point I’d be talking out of my depth.

Who do I want to protect it from? I think the best way I can divide this up is into three buckets based on Techlore’s video on threat modeling: people, companies, and governments. People represents scammers, hackers, script kiddies, and individual or small group attackers who are trying to gain access to systems. Companies are usually not interested unauthorized access to computers from a security angle, but they are interested in privacy invasive solutions that leverage their relationship with customers or potential customers to acquire data. Many times they are grabbing way more data than users realize (it’s a whole thing). Governments are literal state or state-sponsored attackers with resources that only other states can afford. They are interested in getting past security AND minimizing the privacy of their targets.

I think that the average user definitely wants a secure computer that keeps the hackers away. Next, if they knew how far companies go to take their data, they would probably want to stop that tracking if it was accessible for them to do so. Lastly, for governments, I think the average user counts that as a lost cause. However, Linux has a sizeable user base that does want their system to be as secure as possible even against governments. Not that I think we can do a whole lot that wouldn’t already be overlapping with the first two threats, but I think that governments should be marked as a nice-to-have wherever we can see a benefit in that area. I’m not sure how much we can realistically do about that.

How likely is it that I will need to protect it? For an individual user, I think a good chunk of that will be determined by how they think about their own digital security. For us as a distro, we have to assume that Fedora machines will be targeted frequently, and if it’s not us, it’s RHEL and RHEL based distros as well. I know that they aren’t doing all of the extra things you need for a personal computer, but I think it still bears consideration. I’m not sure how to measure or quantify this, though. Does Linux get targeted with malware? Yes. How much is enough of a threat to warrant more action on our part? I don’t know.

How bad are the consequences if I fail? Similarly to the previous question, the consequences are a compromised machine that a user may continue to use without knowing they have been compromised. More than just loosing access to an account, for which there may be alternatives or support lines, getting your computer hacked could mean getting everything else hacked. It’s a pretty bad game over. As mentioned before, a lot of this depends on the choices made by a user, but we should start them off on the best footing they can have from the OS perspective.

How much trouble am I willing to go through to try to prevent potential consequences? That’s the question, isn’t it? In the face of all the threats users may face, and how important it is to get right, how can we choose anything other than maximum security? Then you run into the conveniences that you lose with security at all costs. As many are fond of saying, the best way to be secure is to turn off the computer and never use it. But that’s not realistic. Every OS and distro does the balancing act whether they like it or not, so how do we decide how far to go?

Maybe this is a model we can start with:

1. Identify the user experience expectations of the average user for a given use case.
2. Anything that does not negatively impact the user experience expectation should be made as secure as possible. Things like implementing proper sandboxing with flatpak or ironing out bugs in Wayland fall in this category.
3. If the security concern is part of the user experience expectation, we should facilitate the more secure option. That can take different forms. One way could be to provide a more secure option alongside the standard option (can’t think of an example). Another could be make the more secure option easier to do than the least secure one (like not allowing passwords below a certain limit). Yet another could be to reduce the barrier to entry for the security feature as much as possible. The last thing I can think of is to not affect the user experience at all, but at least provide a secure option for something as a way of educating people (like having some kind of backup application installed by default for folks to think about setting that up).

…

Does this help at all, lol? When I think about all this stuff, here are my three takeaways.

1. We should make things more secure in all the places users won’t notice.
2. We should make good security recommendations without being annoying.
3. We should empower people who want to harden their operating systems to better match their threat models.

And this is the point where my brain starts running out of steam. Hope this can help to think of an objective if the first suggestion doesn’t work.

Better secure boot is on the way as far as i know with introduction of unified kernel approach we can actually have a better robust secureboot.
Brave New Trusted Boot World this approach lookinto the issues of verified boot and solves. A good article by Systemd lead developer Lennart Poettering
And now encryption is nice to have whether it is a full disk or /home with systemd-homed.
And now silverblue is i think already have everything secureboot to other fedora workstation stuff but just immutable.
Better permission management for flatpak apps which is already possible with flatseal.
Now it is on gnome to implement it into settings like what er recently see implemented in kde plasma 27
I already have a community post there addressing the same issue flatseal in gnome settings
And other flatpak related stuff need to be added by flatpak themself. Flathub already made a big move and now they have payment support so we can expect to have a apps from other providers so permission and other safety need to be defined in a better way.

I did run this thread by some collaborators as well and they didn’t have anything else to add.

This makes sense to me, but I think this will be a contentious topic as-worded. There are many areas where Fedora Linux might be considered more secure than macOS, and vice versa. I really want to see improvements in just a few fundamental design areas… consider:

Objective: Fedora Linux adopts modern OS security models.
Impact: Fedora is recommended as the most secure and private OS for desktop users.

“Modern OS security models” mainly referring to sandboxing, app permissions, system integrity validation, better SELinux policies for desktop (most desktop apps seem to be unconfined, so says ps -Z anyways), and maybe some commitment to memory safe programming languages? And I am aware that many of these things are being worked on in one form or another, but I think that Fedora should commit to making them a first-class, default experience that all app developers are utilizing properly.

…maybe “Fedora Linux adopts mobile OS security models” is more clear, because Android/iOS sort of pioneered these technologies?

Then we can validate this objective against https://discussion.fedoraproject.org/t/fedora-strategy-2028-focus-area-review-guidelines/46888:

1. If the Impact is achieved, it’s reasonable to expect an increase in active Fedora contributors.
2. Success in the Objective logically results in the intended Impact.
3. That link is reasonably sufficient — that is, it represents everything needed to have the Impact.

I think that this Objective addresses most if not all of the security concerns with desktop Linux that are commonly cited when evaluating OS choices, and so completing the Objective should remove any reasonable barriers to recommending Fedora from a privacy and security perspective.

4. While there might be other ways to have similar Impact, the chosen Objective is the right one for Fedora right now.

This Objective represents a clear industry trend (outside of the Linux ecosystem) overall. macOS is often cited as a desktop OS which follows security best-practices as described above, Windows is investing a lot of work into similar technologies and Rust for Windows components, and these are already standard on iOS and Android.

I have a feeling that some of these security practices are seen as intrusive on user freedom among some people in the Linux community, but I think that is a misconception stemming from the fact that security features like these have been abused by proprietary platforms in the past to wall-in users. I have total faith that Fedora would be able to steer development towards these security models without infringing on freedom nor compromising on security.

5. The wording is precise and clear. The Objective is concrete, and the Impact is (at least a little bit) inspirational. Together, they fit into this Focus Area.

I’ll leave this for you all to decide. I think that this Objective is aligned with Fedora’s Features and First foundations.

Flatseal is a step forward and I do want to see something like it integrated into GNOME. I think that Flatseal’s permissions aren’t super human-readable though, and IIRC Flatseal allows you to add additional permissions to an app which doesn’t really make sense, but maybe I’m misremembering.

I also want Fedora to be more opinionated about which permissions are considered important, and consult the user accordingly. Take Android for example, which categorizes app permissions into Install-time, Runtime, and Special Permissions.

Part of that does require developer buy-in. Before Google Play had better permission request guidelines for their apps, it was common for Android apps to spam you with requests for every single runtime permission they wanted the first time you opened them, which is not an ideal outcome.

This is the idea sauce, IMO. If we could have something like flatseal as part of the out of box capabilities of Gnome and KDE, that would go a long way.

TIL that KDE actually already ships this feature. This is a win for kinoite over silverblue for out of box privacy/security control, IMO.

https://fosstodon.org/@dropbear42/110080943225279900